Who is really responsible for the Information Security Management System (ISMS)?

A Common Problem

We often find organisations where the Information Security team believe the next external audit could mean the demise of the ISMS. They know that the necessary stipulations have not been fulfilled during the last 12 months or longer. They also know that this is likely to be due to disjointedness within the organisation and, ultimately, a lack of clear leadership. They have struggled to persuade colleagues to comply with the requirements of the ISMS. They see the threat of discontinued ISO certification from the Certifying Authority as the only way to change attitudes, especially at the top of the organisation.

The International Organization for Standardization (ISO) suggests that in some businesses “leadership from the business owner”¹ is required. However, this is slightly confused in vocabulary standards such as ISO 9000 and ISO/IEC 27000, where the following language is used: “If the scope of the management system covers only part of an organization, then top management refers to those who direct and control that part of the organization”.²

Many organisations prefer to start on the ISMS journey by limiting the scope to the organisation’s Information Technology / Information Management. Taking such a literal reading of the guidance, however, can lead to a scenario where business owners (CEOs / MDs) believe they are absolved of their responsibility for the ISMS, as they come to believe the management system is in safe hands under IT/IM management.

There is a simple test in this scenario to establish if the ISMS is in the right hands. Imagine the IT Director approves a technical process that involves taking down operational systems during normal business hours. If there is somebody else in the organisation who can overrule the IT Director and prevent the process from taking place, then the ISMS is in the wrong hands: the person who can overrule is the real “top management” for the system, and they are not the one owning it.

This scenario is likely to lead to further undesirable consequences:

  • The IT Director’s information security leadership will be brought into question and may even be considered weak;
  • The external auditor will record their concerns around leadership as part of the audit, and will likely instigate further investigations;
  • Any negligence in the area of leadership would normally be reported as a Major Non-conformity, as Leadership (Clause 5) is a major stipulation within the Standard.

A Better Approach

We recommend establishing board-level ‘accountability’ for the ISMS. ‘Responsibility’ for its management may be delegated, but accountability must rest with those at the top of the organisation.

Most ISO management systems (certainly all those which follow Annex SL: 9001, 14001 and 27001) have a stipulation for Management Reviews. We recommend that Management Review meetings are held regularly (e.g. twice a year) and include board-level representation. Board members are in the best position to report on any changes in external and internal strategic matters that could be relevant to the ISMS. They need to be made aware of the organisation’s information security performance, and may themselves bring feedback on it to the meeting. They need to be informed of information security nonconformities and of the results from monitoring, measurement and audit activities. They may know why the nonconformities have come about, or they may be in the best position to propose the most effective corrective actions.

Policy for the ISMS needs to be written, or at least signed off, by the head of the business, in full knowledge of the requirements of the business and with due regard to all information security risks and mitigation options. The CEO/MD will be forgiven for not being the most IT-aware member of the business, but this doesn’t mean they cannot be counselled, where necessary, by the organisation’s IT experts. Contrary to popular belief, the ISMS is not all about IT; it’s about leadership with an information security flavour.

In conclusion, the ISMS should be overseen by organisational leadership who know the organisation’s strategy, are aware (or can be made aware by their experts) of the ever-changing risks to the ISMS and the risk mitigation options, and who set policy based on that strategy, balanced against those risks.

How Regency Can Help

Regency ISO/IEC 27001 Lead Auditor consultants have a long track record in helping customers meet and maintain ISO/IEC 27001 requirements both in the UK and abroad. From initial assessment, through designing a pragmatic and effective ISMS, to audit support and ISMS maintenance, we provide a low-risk approach to achieving and maintaining ISO/IEC 27001 certification.

We won’t leave you with a library of standard templates that need experts to decipher. We will be with you every step of the way, including during your Certification Audit, confirming our support meets with the expectations of the Certifying Authority. We’ll be there to get you over the initial line but will be on hand for guidance, if you need us, in the months and years to follow as your ISMS matures.

If you would like to explore how Regency can help your organisation, please contact us on our office number 01242 225699 or email enquiries@regencyitc.co.uk.

¹ Source: https://www.iso.org/management-system-standards.html
² Source: ISO/IEC 27000:2018